CVE-2025-58434

This repository contains a functional Python exploit for CVE-2025-58434, which leverages a token disclosure vulnerability in Flowise's forgot-password endpoint to achieve account takeover. The PoC automates the process of fetching a password reset token and resetting the victim's password without email verification.

The repository contains a functional Python exploit for CVE-2025-58434, which allows unauthenticated attackers to reset passwords in Flowise by abusing the `/api/v1/account/forgot-password` endpoint to obtain a valid `tempToken` and immediately reuse it to reset the password without verification.

This repository contains a functional Python exploit for CVE-2025-58434, demonstrating an unauthenticated password reset vulnerability in Flowise AI <= 3.0.5 due to leaked temporary tokens in API responses.

This repository contains a functional exploit script that chains two CVEs (CVE-2025-58434 and CVE-2025-59528) to achieve remote code execution on Flowise. The script automates account takeover via a password reset vulnerability and then executes arbitrary commands via a custom MCP node.

This repository contains a functional exploit PoC for CVE-2025-58434 (account takeover) and CVE-2025-59528 (RCE) in Flowise, demonstrating a full attack chain from unauthenticated access to remote code execution.

This repository contains a functional exploit chain for CVE-2025-58434 and CVE-2025-59528, targeting the Silentium HTB machine. It includes a user enumeration script (Bash) and an RCE exploit (Python) that injects malicious JavaScript into a Node.js endpoint to spawn a reverse shell.

The repository contains only a vague README with no technical details or exploit code, instructing users to replace a placeholder domain. This is characteristic of a social engineering lure.

This repository contains a functional exploit chain for CVE-2025-58434 (unauthenticated account takeover via password reset token disclosure) and CVE-2025-59528 (authenticated remote code execution via CustomMCP node JS injection) affecting Flowise <= 3.0.5. The Python script automates the full exploit chain, including password reset, API key retrieval, and command execution or reverse shell setup.

This repository contains a functional exploit for CVE-2025-58434, targeting Flowise versions below 3.0.5. The exploit chains account takeover via password reset with remote code execution through a crafted payload in the 'customMCP' endpoint.

This repository contains a functional exploit chain for CVE-2025-58434 (unauthenticated account takeover via password reset token disclosure) and CVE-2025-59528 (authenticated remote code execution via JS injection in the CustomMCP node). The Python script automates the full attack chain, including password reset, API key retrieval, and command execution or reverse shell setup.